British and Dutch regulators fine Uber for 2016 data hack

(Reuters) – British and Dutch regulators on Tuesday fined ride-hailing service Uber [UBER.UL] for failing to protect customers’ personal information during a 2016 cyber attack involving tens of millions of customers.

Names, mobile phone numbers and email addresses were compromised in the breach, which affected 57 million customers worldwide. That included 2.7 million customer accounts in Britain, representing the overwhelming majority of people using the ride-hailing service in the country.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said in a press release.

“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The ICO also said that the data of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – was also taken during the incident in October and November 2016.

The breach occurred before the introduction of the General Data Protection Regulation (GDPR) earlier this year, which would empower the ICO to issue fines of up to 17 million pounds or 4 percent of a company’s global turnover.

Uber, which has also faced licensing problems in London and a long-running legal battle over workers’ rights for its British drivers, said it had changed data practices since 2016 and this year hired a chief privacy officer and data protection officer.

“We’re pleased to close this chapter on the data incident from 2016,” Uber said in a press release.

“As we shared with European authorities during their investigations, we’ve made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.”

The breach affected 174,000 people in the Netherlands, and the Dutch DPA said it was fining Uber for failing to report the incident within 72 hours of its discovery.

Reporting by Alistair Smout in London and Muvija M in Bengaluru; Editing by David Goodman